Users who have forked Malcolm on [GitHub]({{ site.github.repository_url }}) can use GitHub-hosted runners to build Malcolm images, as well as sensor and Malcolm installer ISOs, and push those images to GitHub's container registry.
The resulting images are named according to the pattern
(e.g., if the user has forked Malcolm with the GitHub user romeogdetlevjr
, the Arkime
container built for the main
branch would be named
). To run a local instance of Malcolm using these images instead of the official
ones, users will need to edit their docker-compose.yml
file(s) and replace the image:
tags according to this new pattern, or use the Bash helper script ./shared/bin/
to pull and re-tag the images.
[Workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided that contain instructions to build the images using GitHub-hosted runners, as well as sensor and Malcolm installer ISOs.
This document outlines the steps needed to configure and use GitHub runners to build Malcolm images.
Users should log into GitHub and navigate to their Malcolm fork. Click ⚙ Settings along the top of the page, then open the ▶ Actions menu from the left panel and select General.
Select Allow username, and select non-username, actions and reusable workflows and check the boxes for Allow actions created by GitHub and Allow actions by Marketplace verified creators. Malcolm's workflows also use a third-party action (styfle/cancel-workflow-action) for canceling running workflows when new ones are started, so add the text styfle/cancel-workflow-action@*,
under Allow specified actions and reusable workflows. Click Save underneath that section.
Under Fork pull request workflows from outside collaborators, select Require approval for all outside collaborators (or read Approving workflow runs from public forks and make another selection). Click Save for that section.
Under Workflow permissions, select Read and write permissions to allow the GitHub workflow actions to write packages to the container registry. Malcolm workflows do not create and approve pull request, so Allow GitHub Actions to create and approve pull requests may be left unchecked. Click Save for that section.
Expand ✴ Secrets and variables in the left menu panel under Security, then select Actions from that menu.
Malcolm uses MaxMind's free GeoLite2 databases for GeoIP lookups. As of December 30, 2019, these databases are no longer available for download via a public URL. Instead, they must be downloaded using a MaxMind license key (available without charge from MaxMind). This license key should be specified here as a repository secret so that the workflows may download the GeoLite2 databases to embed into the container images that use them. Keep in mind that MaxMind has a daily rate for the number of downloads allowed per license key.
Click New repository secret and create a secret with the name MAXMIND_GEOIP_DB_LICENSE_KEY
and the Secret value containing the user's free license key obtained from MaxMind. Then click Add secret. Click New repository secret and create a secret with the name MAXMIND_GEOIP_DB_LICENSE_KEY
and the Secret value containing the user's free license key obtained from MaxMind. Then click Add secret.
As an alternative to (or fallback for) MAXMIND_GEOIP_DB_LICENSE_KEY
, a URL prefix may be specified in MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL
) which will be used as a fallback. This URL should serve up .tar.gz
files in the same format as those provided by the official source:
$ ls
GeoLite2-ASN.mmdb.tar.gz GeoLite2-City.mmdb.tar.gz GeoLite2-Country.mmdb.tar.gz
$ for FILE in *.tar.gz; do tar -tvf "$FILE"; done
drwxr-xr-x user/user 0 2024-09-17 14:34 GeoLite2-ASN/
-rw-r--r-- user/user 8655479 2024-09-17 13:48 GeoLite2-ASN/GeoLite2-ASN.mmdb
drwxr-xr-x user/user 0 2024-09-17 14:34 GeoLite2-City/
-rw-r--r-- user/user 61133703 2024-09-17 13:48 GeoLite2-City/GeoLite2-City.mmdb
drwxr-xr-x user/user 0 2024-09-17 14:34 GeoLite2-Country/
-rw-r--r-- user/user 7529760 2024-09-17 13:48 GeoLite2-Country/GeoLite2-Country.mmdb
Click the ▶ Actions tab along the top of the page. Users will be prompted with this message:
If desired, the [Malcolm workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) may be reviewed here prior to enabling them. Click I understand my workflows, go ahead and enable them to enable these workflows on the user's Malcolm fork.
Once workflows have been enabled, users are presented with a view of past workflow runs, which will initially be empty:
Initiate a test workflow run by clicking on a workflow from the menu on the left (dirinit-build-and-push-ghcr
is one that will build quickly). Expand the Run workflow ⛛ menu on the right hand side of the page, then click the Run workflow button to initiate the build.
Users will be presented with a Workflow run was successfully requested message and will notice that a workflow run is in progress:
Depending on which workflow was run -- some of Malcolm's workflows will complete in less than a minute, while others may take up to an hour to finish -- the icon to the left of the workflow run should show a white check mark with a green background (✅) to indicate it completed successfully. Clicking on the name of the workflow run (e.g., dirinit-build-and-push-ghcr
) will show details about its execution:
Further details, including the output of the build jobs themselves, can be examined by clicking on a job from the menu on the left side of the screen and expanding the sections of interest that are displayed on the right. Most of the details relevant to a build will be under a step called Build and push.
As the product of Malcolm's workflow runs are container images pushed to GitHub's container registry, users can verify the image was built and pushed by navigating back to the main page of their Malcolm fork and clicking Packages from the right panel of that page, or by navigating to
. A list of the packages published is displayed:
Clicking on a package name will show details about that package. Note that most Malcolm container images are built with two tags, one for x86-64 platforms tagged with the branch name (main
) and another for arm64 platforms tagged with the branch name and -arm64
[Malcolm's workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are configured to build when any of the following triggers occur (found in the on:
section at the top of each workflow file):
- Per container when files relevant to that container are pushed to the repository
- The file '.trigger_workflow_build' may be modified and pushed (its contents are irrelevant) to trigger all containers' builds.
- Per container upon a workflow dispatch (e.g., when clicking the Run workflow button as described in the example above or via API)
- Repository-wide upon a repository dispatch executed via API
These triggers may be modified according to the users' needs.
Each container build workflow actually runs two paths in parallel: one for building and pushing the x86-64 images and one for building and pushing the arm64 images. As of the writing of this document, Arm-based Linux runners are not yet publicly available (but are expected to be offered for open source and personal accounts by the end of 2024). For this reason, the arm64 builds are emulated with QEMU. These emulated builds take much longer than their native x86-64 counterparts. Users who do not need the arm64 images may comment out that platform (by adding a #
to the beginning of its line) under jobs.docker.strategy.matrix.platform
in the workflow YML file.
As mentioned earlier, Malcolm images built using the instructions in this document are are named according to the pattern
. However, note that the image:
values found in [docker-compose.yml
]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/docker-compose.yml) (and in the Kubernetes [manifests]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/)) look like{{ site.malcolm.version }}
, using the OpenSearch container as an example. To run a local instance of Malcolm using these images instead of the official
ones, users will need to edit their docker-compose.yml
file(s) and replace the image:
tags according to this new pattern, or use the bash helper script [./scripts/
]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/ to pull the repository images and re-tag them with
and the current Malcolm version (e.g., {{ site.malcolm.version }}
Before explaining that script, a discussion of the workflow files for the Hedgehog Linux ([hedgehog-iso-build-docker-wrap-push-ghcr.yml
]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml)) and Malcolm ([malcolm-iso-build-docker-wrap-push-ghcr.yml
]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml)) installer ISOs is warranted. The installer images are ISO 9660-formatted files, not container images, so one may reasonably wonder about the purpose of the
images pushed to
Examining [malcolm-iso/Dockerfile
]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/malcolm-iso/Dockerfile) and [hedgehog-iso/Dockerfile
]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/hedgehog-iso/Dockerfile), one will see that these container images are just thin wrappers around the ISO 9660 image files built during their respective workflows. These wrapper images serve two purposes:
- To provide an HTTP server from which the ISO itself can be downloaded
- To boot a live ISO image in QEMU (based on
Since the Malcolm Malcolm ([malcolm-iso-build-docker-wrap-push-ghcr.yml ]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml)) installer ISO workflow also includes a snapshot of the rest of the Malcolm container images (built from the user's Malcolm fork as described above) in its file system, it should not be executed until all of the other container images have been built and pushed at least once. In other words, the Malcolm installer ISO will contain the container images from the fork's most recent workflow runs.
Running [
]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/ presents the following menu:
$ ./scripts/
0 pull and extract everything
1 ExtractAndLoadImagesFromGithubWorkflowBuildISO
2 ExtractISOsFromGithubWorkflowBuilds
3 GithubTriggerPackagesBuild
4 PullAndTagGithubWorkflowImages
5 PullAndTagGithubWorkflowISOImages
These menu options are described below:
- pull and extract everything
- This option is the same as if the user had selected steps 5, 1, 2, and 4 in that order. It will result in the pulling of the Malcolm and Hedgehog Linux installer ISO wrapper container images from and the loading of the rest of the Malcolm container images from the copy stored internally in the ISO's file system (to conserve bandwidth).
- ExtractAndLoadImagesFromGithubWorkflowBuildISO
- This option extracts and loads the Malcolm container images (built from the user's Malcolm fork) that were embedded into the file system of the Malcolm installer ISO wrapper container image.
- ExtractISOsFromGithubWorkflowBuilds
- This option extracts the ISO 9660 image files for the Malcolm and Hedgehog Linux installer ISOs from their respective wrapper container images, and writes these files (with the
extension) to the local file system.
- This option extracts the ISO 9660 image files for the Malcolm and Hedgehog Linux installer ISOs from their respective wrapper container images, and writes these files (with the
- GithubTriggerPackagesBuild
- This option will trigger a repository dispatch via the GitHub API using
. In order for this operation to work, an environment variable namedGITHUB_OAUTH_TOKEN
must be defined containing a personal access token created for your GitHub user account with the "Actions (write)" repository permission.
- This option will trigger a repository dispatch via the GitHub API using
- PullAndTagGithubWorkflowImages
- This option will pull latest Malcolm container images (excluding the installer ISO wrapper container images) from for the user's Malcolm fork, and re-tag them with
and the current Malcolm version (e.g.,{{ site.malcolm.version }}
) so that they may be run without modifying the localdocker-compose.yml
file. This is probably the option users will select most often. Note that this is different from the action performed in steps 1 and 0 above: this pulls the images directly from the container registry, it does not extract them from the Malcolm installer ISO wrapper container image.
- This option will pull latest Malcolm container images (excluding the installer ISO wrapper container images) from for the user's Malcolm fork, and re-tag them with
- PullAndTagGithubWorkflowISOImages
- This option will pull latest Malcolm installer ISO wrapper container images from for the user's Malcolm fork, and re-tag them with
and the current Malcolm version (e.g.,{{ site.malcolm.version }}
- This option will pull latest Malcolm installer ISO wrapper container images from for the user's Malcolm fork, and re-tag them with
The script can also be run non-interactively by specifying the option number on the command line (e.g., ./scripts/ 4
In addition to requiring Docker or Podman, some of the options above also require the xorriso and squashfs-tools packages to extract from the ISO 9660 image file embedded in the Malcolm installer ISO wrapper container image. Consult your distribution's documentation for how to install these tools (something like sudo apt-get -y install xorriso squashfs-tools
should work on distributions that use the apt package manager).
For example, here is a workflow for building the Malcolm container images using GitHub runners and pulling them from the container registry.
First, a build is initiated for all containers:
$ ./scripts/
0 pull and extract everything
1 ExtractAndLoadImagesFromGithubWorkflowBuildISO
2 ExtractISOsFromGithubWorkflowBuilds
3 GithubTriggerPackagesBuild
4 PullAndTagGithubWorkflowImages
5 PullAndTagGithubWorkflowISOImages
Issuing repository_dispatch on romeogdetlevjr/Malcolm
The user would then wait for about 45 minutes for the workflows to complete. These may be monitored at
, with an is:in_progress
filter to only show the workflows that are still executing. Remember that the arm64 builds will take much longer than the x86-64 builds; users working in an x86-64 environment may check on the status of a particular running workflow and know that it's safe to continue if the linux/amd64
job is complete even if the linux/arm64
job is still running.
Once all the workflows are finished, the containers may be pulled:
$ ./scripts/
0 pull and extract everything
1 ExtractAndLoadImagesFromGithubWorkflowBuildISO
2 ExtractISOsFromGithubWorkflowBuilds
3 GithubTriggerPackagesBuild
4 PullAndTagGithubWorkflowImages
5 PullAndTagGithubWorkflowISOImages
Pulling images from (main) and tagging as {{ site.malcolm.version }}...
main: Pulling from romeogdetlevjr/malcolm/api
Digest: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Status: Image is up to date for
xxxxxxxxxxxx: Pull complete
main: Pulling from romeogdetlevjr/malcolm/zeek
Digest: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Status: Image is up to date for
xxxxxxxxxxxx: Pull complete
Verify that the images were pulled. Note that users will see two tags for each image: one tagged with the username and branch (e.g.,
) and another tagged with
and the Malcolm version (e.g.,{{ site.malcolm.version }}
$ docker images | grep romeogdetlevjr/malcolm {{ site.malcolm.version }} xxxxxxxxxxxx 10 minutes ago 1.39GB main xxxxxxxxxxxx 10 minutes ago 1.39GB {{ site.malcolm.version }} xxxxxxxxxxxx 13 minutes ago 1.55GB main xxxxxxxxxxxx 13 minutes ago 1.55GB {{ site.malcolm.version }} xxxxxxxxxxxx 14 minutes ago 339MB main xxxxxxxxxxxx 14 minutes ago 339MB {{ site.malcolm.version }} xxxxxxxxxxxx 15 minutes ago 712MB main xxxxxxxxxxxx 15 minutes ago 712MB {{ site.malcolm.version }} xxxxxxxxxxxx 15 minutes ago 55.4MB main xxxxxxxxxxxx 15 minutes ago 55.4MB {{ site.malcolm.version }} xxxxxxxxxxxx 16 minutes ago 160MB main xxxxxxxxxxxx 16 minutes ago 160MB {{ site.malcolm.version }} xxxxxxxxxxxx 16 minutes ago 137MB main xxxxxxxxxxxx 16 minutes ago 137MB {{ site.malcolm.version }} xxxxxxxxxxxx 16 minutes ago 246MB main xxxxxxxxxxxx 16 minutes ago 246MB main xxxxxxxxxxxx 16 minutes ago 250MB {{ site.malcolm.version }} xxxxxxxxxxxx 16 minutes ago 250MB {{ site.malcolm.version }} xxxxxxxxxxxx 16 minutes ago 1.49GB main xxxxxxxxxxxx 16 minutes ago 1.49GB {{ site.malcolm.version }} xxxxxxxxxxxx 17 minutes ago 1.66GB main xxxxxxxxxxxx 17 minutes ago 1.66GB main xxxxxxxxxxxx 18 minutes ago 405MB {{ site.malcolm.version }} xxxxxxxxxxxx 18 minutes ago 405MB main xxxxxxxxxxxx 18 minutes ago 303MB {{ site.malcolm.version }} xxxxxxxxxxxx 18 minutes ago 303MB {{ site.malcolm.version }} xxxxxxxxxxxx 18 minutes ago 802MB main xxxxxxxxxxxx 18 minutes ago 802MB {{ site.malcolm.version }} xxxxxxxxxxxx 18 minutes ago 1.42GB main xxxxxxxxxxxx 18 minutes ago 1.42GB {{ site.malcolm.version }} xxxxxxxxxxxx 18 minutes ago 176MB main xxxxxxxxxxxx 18 minutes ago 176MB {{ site.malcolm.version }} xxxxxxxxxxxx 18 minutes ago 233MB xxxxxxxxxxxx 18 minutes ago 233MB {{ site.malcolm.version }} xxxxxxxxxxxx 18 minutes ago 153MB main xxxxxxxxxxxx 18 minutes ago 153MB {{ site.malcolm.version }} xxxxxxxxxxxx 18 minutes ago 169MB main xxxxxxxxxxxx 18 minutes ago 169MB